Backups are typically created on the same server as the TYPO3 instance
and often stored there as well. In this case, the backup files should
be copied to external systems to prevent data loss from a hardware
failure. If backups are only stored on the local system and an
attacker gains full control over the server, he might delete the
backup files. Protecting the external systems against any access from
the TYPO3 server is also highly recommended, so you should consider
“fetching” the backups from the TYPO3 system instead of “pushing” them
to the backup system.

When external systems are used they should be physically separated
from the production server in order to prevent data loss due to fire,
flooding, etc.

Please read the terms and conditions for your contract with the
hosting provider carefully. Typically the customer is responsible for
the backup, not the provider. Even if the provider offers a backup,
there may be no guarantee that the backup will be available. Therefore
it is good practice to transfer backups to external servers in regular
intervals.

In case you are also storing backups on the production server, make
sure that they are placed outside of the root directory of your
website and cannot be accessed with a browser. Otherwise everybody
could simply download your backups, including sensitive data, such as
passwords (not revealing the URL is not a sufficient measure from a
security perspective).